...
PSPNG's Configuration is done via the conf/grouper-loader.properties file, in the grouper API Binary, with a paragraph for each provisioning destination, as well as an additional paragraph that enables and configures FullSync operation. There are several configuration options documented in the following spreadsheet, but most are optional: https://docs.google.com/spreadsheets/d/1FenN3hICohYR6cvr8Zxuk11VNyt82clvuouZQHgTT-w (this spreadsheet needs to move to the Grouper Wiki).
...
:
Provisioner Type | Parameter | Default | Description | Default Behavior |
All Provisioners | provisionerName | <required> | ||
groupSelectionExpression | ${utils.containedWithin(provisionerName, stemAttributes['etc:pspng:provision_to'], groupAttributes['etc:pspng:provision_to']) && !utils.containedWithin(provisionerName, stemAttributes['etc:pspng:do_not_provision_to'], groupAttributes['etc:pspng:do_not_provision_to'])} | Jexl expression that refers to stem_attributes, group_attributes, or group | Provision groups if <provisionerName> is in a group or stem provision_to attribute AND NOT in a do_not_provision_to attribute | |
grouperDataCacheTime_secs | 600 (seconds) | How long should Grouper (Group, Stem, Subject) data be cached by the provisioners? | Grouper data will be cached for 10 minutes, though it is flushed when groups change. | |
grouperGroupCacheSize | 10000 (Groups) | How many Grouper Groups should be kept in memory at a time? | ||
grouperSubjectCacheSize | 10000 (Subjects) | How many Grouper Subjects should be kept in memory at a time? | ||
needsTargetSystemUsers | FALSE | Does provisioniner need User/Subject information from the Target System? For example, do any JEXL expressions need information that is not available in Grouper Subjects? | All provisioning will be done based (only) on Grouper-Subject information. | |
needsTargetSystemGroups | FALSE | Does provisioner need group information from the Target System? For example, this information could be used in various JEXL expressions. | All provisioning will need to be done based on Grouper-Group information | |
createMissingUsers | FALSE | Only used when needsTargetSystemUsers=true: Should users be created when they cannot be found? | Users will not be created by Grouper Provisioning. Provisioning actions that require the users will fail. | |
userSearch_batchSize | 50 | Only used when needsTargetSystemUsers=true: How many users can be sought in a single Fetch? | Fetches will seek information for up to 50 users at a single time. | |
groupSearch_batchSize | 50 | Only used when needsTargetSystemGroups=true: How many groups can be sought in a single Fetch? | Fetches will seek information for up to 50 groups at a time. | |
supportsEmptyGroups | TRUE | Can groups be created without any members? If so, it is easier to create them separately from membership changes. | Yes, create groups as soon as possible. | |
sleepTimeAfterError_ms | 1000 | FullSync: Wait a bit before retrying a group that has failed. This prevents aggressive infinite loops. | 1 second pause before retrying a failed group. | |
LdapProvisioner (Abstract) | ldapPoolName | <required> | What ldap pool should be used by this provisioner | |
userSearchBaseDn | null | Where to find users? | Required if provisioner needsTargetSystemUsers=true | |
userSearchFilter | null | Jexl expression that refers to stem_attributes, group_attributes, or group | How to find users in the Target System? | |
userSearchAttributes[] | dn,cn,uid,mail,samAccountName, uidNumber,objectclass | Comma-separated list of attributes that are useful for logging and that are needed by userSearchFilter or by a subclass's ValueFormats | Reads common attributes from either Unix or ActiveDirectory LDAP servers | |
ldapSearchResultPagingSize | 100 | How many result objects can be pulled by a single request. This is small to avoid problems by default. | Break the results of a large query into fairly tiny chunks. | |
ldapUserCacheTime_secs | 600 | How long to keep User information in memory? | Keep User information in memory for 10 minutes, though user-information is flushed when users are changed by a provisioner | |
ldapUserCacheSize | 10000 | How many LDAP accounts can be kept in memory at a time, indexed by the Subject mapped to them? | Keep the last 10000 users found by searching with Subject information | |
isActiveDirectory | FALSE | Is this an active-directory server? If so, then AD-specific attribute-value-paging is enabled. Also, member (reverse user-to-group virtual attribute) is enabled. | LDAP server is treated like a non-active-directory server. Problems will occur with full-sync of large groups. | |
maxValuesToChangePerOperation | 100 | How many values can be added/removed from an attribute in a single ldap operation | Breaks large list of values that need to be added/removed from an attribute into chunks that this size. For example, 5000 values that need to be added would be added in 50 chunks of 100 values each. | |
LdapGroupProvisioner (Also Provisioner and LDAPProvisioner) | memberAttributeName | 'member' for AD <required> otherwise | What attribute represents a group's members in the Target System? | Active Directory should just work. Otherwise, this is required. |
memberAttributeValueFormat | ${ldapUser.dn} | What value (typically based on Subject or TargetSystemUser information) is written into the memberAttributeName attribute of groups? | Active Directory and GroupOfUniqueNames will typically work. | |
groupAttributeName | memberof for AD null otherwise | Virtual attribute of accounts that lists their groups | ||
groupCreationLdifTemplate | null | What LDIF should be written to the directory to add a group. Multiple lines need to be separated by || (double-pipes). The DN of the LDIF will be combined with groupCreationBaseDn> | ||
groupCreationBaseDn | <groupSearchBaseDn> | Where should groups be created? At group-creation time, this is appended to the DN that results from the groupCreationLdifTemplate. | Groups are created starting at the top of the search BaseDn. | |
groupSearchBaseDn | <required> | Where are groups found? | ||
grouperIsAuthoritative | FALSE | Should groups in the groupSearchBaseDn/allGroupSearchFilter be removed if they no longer exist in Grouper? | ||
allGroupSearchFilter | null | FUTURE: How to find all the groups that grouper-provisioning maintains. If <grouperIsAuthoritative>, then groups found via this filter will be removed during a full sync. | Groups are not removed when they are removed from Grouper nor when they no longer match the groupSelectionExpression. | |
singleGroupSearchFilter | <required> | How to find a group, based on Grouper Group (or stem) information | ||
groupSearchAttributes | cn,gidNumber,samAccountName,objectclass | Attributes that should be read from groups when searching for them. This needs to include all the attributes used in singleGroupSearchFilter. This should not include the attribute which holds the group's members. | Support common, basic singleGroupSearchFilters. | |
ldapGroupCacheTime_secs | 600 | How long should LDAP-Group information be cached in memory? | Keep LDAP Group information in memory for 10 minutes, though it is flushed when users are changed by a provisioner. | |
ldapGroupCacheSize | 10000 | How many LDAP groups to keep in memory, indexed by Grouper Group. | ||
needsTargetSystemUsers | TRUE | See above (JEXL expressions use User and Group information from the Target System) | ||
needsTargetSystemGroups | TRUE | See above (JEXL expressions use User and Group information from the Target System) | ||
LdapAttributeProvisioner (Also Provisioner and LDAPProvisioner) | provisionedAttributeName | <required> | What attribute is changed in User LDAP objects to represent group membership? | |
provisionedAttributeValueFormat | ${group.name} | What value (typically based on Subject or TargetSystemUser information) is written into the provisionedAttributeName users? | The stem:Group name is written to the attribute specified in <provisionedAttributeName> | |
needsTargetSystemUsers | TRUE | See above (JEXL expressions only use User information from the Target System) | ||
needsTargetSystemGroups | FALSE | See above (JEXL expressions only use User information from the Target System) | ||
allProvisionedAttributePrefix | null | What values of the attribute is grouper authoritative for during a full sync? null (default) or empty means that pspng will only process removals as memberships change, and won't clean up unknown attribute values. | Warning: Grouper should have full control over the target attribute to avoid complications that come from sharing attributes with multiple provisioning tools. |
LDAP Properties
LDAP configuration is done based on the ldaptive library's property configuration. A paragraph of ldap configuration is created in grouper-loader.properties for each ldap endpoint, and that paragraph is referenced by the appropariate appropriate provisioners. For example:
Code Block | ||
---|---|---|
| ||
ldap.groupOfNames.ldapUrl = ldaps:// |
hostname ldap.groupOfNames.bindDn = cn=xxxxxx,ou=xxxxx |
ldap.groupOfNames.bindCredential = |
xxxxx changeLog.consumer.pspng_groupOfUniqueNames.ldapPoolName = groupOfNames |
...
The range of properties supported by ldaptive does not seem to be assembled in once place. One simple example can be found here. Moving into more realistic examples will probably be helped by looking at the ldaptive configuration classes and the setters available within them: connections, pooling, binding (sasl, gssapi, x509, jks, etc). There is plenty of flexibility in ldaptive's configuration, but it does not seem to be designed for configuration via a single list of properties. As PSPNG is deployed into more and more ldap environments and requirements, we're going to learn, document and need to evolve how to tunnel a list of properties from grouper-loader.properties correctly into all the necessary ldaptive configuration classes. In case it is helpful, this is currently implemented in LdapProvisionerConfiguration.buildLdapConnectionPool.
...